v7.0.0 — Context-Aware Intelligence
Highlights
Caspian Security v7.0.0 introduces a context-aware intelligence layer — the scanner now classifies issues with confidence scores, AI fixes understand full function scope, teams can share ignore decisions via .caspianignore, and scan results export to SARIF v2.1.0 for GitHub Security Alerts.
What's New
Smart Context AI Fixes
AI fix prompts now include the entire enclosing function scope and traced variable definitions, extracted via VS Code's DocumentSymbolProvider. The AI sees the full function body instead of just 20 surrounding lines, producing significantly more accurate fixes for complex code.
- Full function body sent to AI (not just ±10 lines)
- Variable definitions traced backwards within function scope
- Security-expert prompt: "Fix the issue within the function scope without breaking the surrounding logic"
- Graceful fallback to 20-line context when no symbol provider is available
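As an added example (not the extension's own `src/contextExtractor.ts`), the following TypeScript shows the two pieces of logic the notes describe: choosing the innermost function symbol that contains the issue line and falling back to a ±10-line window when no symbol provider answered, plus a backwards trace of where the identifiers on the issue line were defined inside that scope. The `DocSymbol` shape stands in for what a `DocumentSymbolProvider` returns, and the sample document and symbol tree are constructed for the demonstration.

```typescript
// Added example: function-scope context selection with a 20-line fallback,
// and backward tracing of variable definitions within the chosen scope.
// Not Caspian Security's code; DocSymbol mirrors a DocumentSymbolProvider
// result but is an assumption, as are all names below.

export interface LineRange { startLine: number; endLine: number } // 0-based, inclusive

export interface DocSymbol {
  name: string;
  kind: "function" | "method" | "class" | "variable" | "other";
  range: LineRange;
  children: DocSymbol[];
}

export interface FixContext {
  source: "function" | "window"; // full function body, or the fallback window
  startLine: number;
  endLine: number;
  text: string;
}

const FALLBACK_LINES = 10; // +/-10 lines = the 20-line fallback context
const KEYWORDS = new Set(["const", "let", "var", "return", "await", "new", "function", "if", "else"]);

/** Innermost function or method whose range contains `line`; nested functions win. */
export function innermostFunction(symbols: DocSymbol[], line: number): DocSymbol | undefined {
  for (const s of symbols) {
    if (line < s.range.startLine || line > s.range.endLine) continue;
    const inner = innermostFunction(s.children, line);
    if (inner) return inner;
    if (s.kind === "function" || s.kind === "method") return s;
  }
  return undefined;
}

/** Full function body when a symbol provider located one, else the +/-10 line window. */
export function extractContext(lines: string[], issueLine: number, symbols?: DocSymbol[]): FixContext {
  const fn = symbols ? innermostFunction(symbols, issueLine) : undefined;
  const startLine = fn ? fn.range.startLine : Math.max(0, issueLine - FALLBACK_LINES);
  const endLine = fn ? fn.range.endLine : Math.min(lines.length - 1, issueLine + FALLBACK_LINES);
  return { source: fn ? "function" : "window", startLine, endLine, text: lines.slice(startLine, endLine + 1).join("\n") };
}

/** Lines in [scopeStart, issueLine) that define an identifier the issue line uses. */
export function traceDefinitions(lines: string[], scopeStart: number, issueLine: number): { line: number; text: string }[] {
  // Strip string literals first so words inside SQL text are not mistaken for variables.
  const stripped = (lines[issueLine] ?? "").replace(/"(?:[^"\\]|\\.)*"|'(?:[^'\\]|\\.)*'|`(?:[^`\\]|\\.)*`/g, '""');
  const idents = new Set((stripped.match(/[A-Za-z_$][\w$]*/g) ?? []).filter(id => !KEYWORDS.has(id)));
  const hits: { line: number; text: string }[] = [];
  for (let i = scopeStart; i < issueLine; i++) {
    const text = lines[i] ?? "";
    for (const id of idents) {
      const esc = id.replace(/[$]/g, "\\$");
      // `const id =` / `let id =` / `var id =`, or a plain assignment `id =` (not `==`)
      if (new RegExp(`\\b(?:const|let|var)\\s+${esc}\\b|(?:^|[^.\\w$])${esc}\\s*=(?!=)`).test(text)) {
        hits.push({ line: i, text });
        break;
      }
    }
  }
  return hits;
}

// Constructed sample document; the injection-style issue is on line 5 (0-based).
export const SAMPLE_LINES: string[] = [
  'import { db } from "./db";',                                                 // 0
  "",                                                                           // 1
  "export async function findUser(req: Request) {",                             // 2
  '  const table = "users";',                                                   // 3
  "  const name = req.query.name;",                                             // 4
  '  const sql = "SELECT * FROM " + table + " WHERE name = \'" + name + "\'";', // 5
  "  return db.query(sql);",                                                    // 6
  "}",                                                                          // 7
  "",                                                                           // 8
  "export function unrelated() {",                                              // 9
  "  return 1;",                                                                // 10
  "}",                                                                          // 11
];

export const SAMPLE_SYMBOLS: DocSymbol[] = [
  { name: "findUser", kind: "function", range: { startLine: 2, endLine: 7 }, children: [] },
  { name: "unrelated", kind: "function", range: { startLine: 9, endLine: 11 }, children: [] },
];
```

With the symbols present, the context for line 5 is lines 2 to 7 and the traced definitions are lines 3 and 4 (`table` and `name`); without symbols, the same call returns the window from line 0 to line 11. The trace is deliberately conservative: it stops at the first defining line per identifier and never looks outside the chosen scope, so module-level definitions are not pulled in.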
Confidence Scoring (Deep Verify)
Each detected issue now receives a confidence classification based on lightweight variable-source analysis:
| Level | Badge | Meaning | Example |
|---|---|---|---|
| Critical | 🔴 Red | Hardcoded secret as a string literal | password = "admin123" |
| Safe | 🟢 Green | Static string with no dynamic input | query = "SELECT * FROM users" |
| Verify Needed | 🟠 Orange | Dynamic value via concatenation or interpolation | query = "SELECT * FROM " + input |
Badges appear in the Results Panel and in VS Code diagnostics (e.g., [Critical] [Secrets] CRED001: ...).
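The table above can be reproduced with a small classifier. The following is an added example written for this page, not the extension's `src/confidenceAnalyzer.ts`: it decides whether the right-hand side of an assignment is a single string literal, and if so whether the variable name suggests a credential. The regexes, the secret-name list, the sample lines and the function names are all assumptions.

```typescript
// Added example: lightweight variable-source classification of one assignment
// line into the three confidence levels. Not Caspian Security's own code;
// heuristics and names are assumptions.

export type Confidence = "Critical" | "Safe" | "Verify Needed";

export const BADGE: Record<Confidence, string> = { Critical: "🔴", Safe: "🟢", "Verify Needed": "🟠" };

// Identifier names that suggest the assigned value is a credential.
const SECRET_NAME = /(password|passwd|pwd|secret|token|api[_-]?key|private[_-]?key)/i;
// Exactly one quoted literal (double, single or backtick) with no ${...} interpolation.
const STRING_LITERAL = /^(?:"(?:[^"\\]|\\.)*"|'(?:[^'\\]|\\.)*'|`(?:[^`\\$]|\\.)*`)$/;
// `name = rhs`, optionally preceded by const/let/var, optionally ending in `;`.
const ASSIGNMENT = /^\s*(?:(?:const|let|var)\s+)?([A-Za-z_$][\w$]*)\s*=(?!=)\s*(.+?)\s*;?\s*$/;

export function classifyAssignment(line: string): Confidence {
  const m = ASSIGNMENT.exec(line);
  if (!m) return "Verify Needed";                 // not a simple assignment: cannot prove it static
  const name = m[1] ?? "";
  const rhs = m[2] ?? "";
  if (!STRING_LITERAL.test(rhs)) return "Verify Needed"; // concatenation, template, call, variable
  return SECRET_NAME.test(name) ? "Critical" : "Safe";
}

/** Diagnostic prefix as shown in the Problems panel, e.g. "[Critical] [Secrets] CRED001: ...". */
export function formatDiagnostic(conf: Confidence, category: string, code: string, message: string): string {
  return `[${conf}] [${category}] ${code}: ${message}`;
}

// Constructed sample lines covering each row of the table plus two edge cases.
export const SAMPLE_LINES: string[] = [
  'password = "admin123"',                 // Critical: secret name, string literal
  'const query = "SELECT * FROM users";',  // Safe: static string, no dynamic input
  'query = "SELECT * FROM " + input',      // Verify Needed: concatenation
  'const q = `SELECT * FROM ${table}`',    // Verify Needed: template interpolation
  "const apiKey = process.env.API_KEY",    // Verify Needed: secret name but not hardcoded
];

export function classifyAll(lines: string[]): { line: string; confidence: Confidence; badge: string }[] {
  return lines.map(line => {
    const confidence = classifyAssignment(line);
    return { line, confidence, badge: BADGE[confidence] };
  });
}
```

Anything that is not provably a single literal lands in Verify Needed, including `"a" + "b"` and a value read from the environment: the classifier only upgrades to Critical when the secret is visibly hardcoded, and only downgrades to Safe when no dynamic input can reach the value.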
.caspianignore File
Clicking Ignore now persists the decision to a .caspianignore file in the workspace root. Teams can commit this file to version control and share ignore decisions across machines.
```text
# Caspian Security Ignore File
# Format: RULE_CODE file/path.ts:line # optional reason
XSS001 src/app.ts:42 # False positive, sanitized upstream
CRED001 src/config.ts # Test credentials only
```
- Optional reason prompt on ignore
- Loaded on startup, watched for live changes via FileSystemWatcher
- Matching by rule code + file path (optional line number)
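The read, match and write sides of that format fit in a few functions. This is an added example, not the extension's `src/caspianIgnore.ts`: the entry and issue shapes, the function names and the sample file contents are assumptions, and the file is embedded as a string so it runs without touching the workspace.

```typescript
// Added example: parse .caspianignore, match issues against it, and format
// an entry for writing back. Not Caspian Security's own code; shapes and
// names are assumptions.

export interface IgnoreEntry {
  ruleCode: string;
  filePath: string; // workspace-relative, normalised to forward slashes
  line?: number;    // undefined = every line of the file
  reason?: string;
}

export interface Issue { ruleCode: string; filePath: string; line: number }

function normalisePath(p: string): string {
  return p.replace(/\\/g, "/").replace(/^\.\//, "");
}

/** Parse file text. Malformed lines are skipped, never widened into a wildcard. */
export function parseIgnoreFile(text: string): IgnoreEntry[] {
  const entries: IgnoreEntry[] = [];
  for (const raw of text.split(/\r?\n/)) {
    const hash = raw.indexOf("#");
    const body = (hash >= 0 ? raw.slice(0, hash) : raw).trim();
    if (!body) continue;                          // blank or comment-only line
    const parts = body.split(/\s+/);
    if (parts.length !== 2) continue;             // not "RULE_CODE path[:line]"
    const ruleCode = parts[0] ?? "";
    const m = /^(.+?)(?::(\d+))?$/.exec(parts[1] ?? "");
    if (!m || !m[1]) continue;
    const entry: IgnoreEntry = { ruleCode, filePath: normalisePath(m[1]) };
    if (m[2] !== undefined) entry.line = Number(m[2]);
    const reason = hash >= 0 ? raw.slice(hash + 1).trim() : "";
    if (reason) entry.reason = reason;
    entries.push(entry);
  }
  return entries;
}

/** Rule code and path must match; a line number, when present, must match too. */
export function isIgnored(issue: Issue, entries: IgnoreEntry[]): boolean {
  const path = normalisePath(issue.filePath);
  return entries.some(e =>
    e.ruleCode === issue.ruleCode && e.filePath === path && (e.line === undefined || e.line === issue.line));
}

/** Drop ignored issues before diagnostics are published. */
export function filterIgnored(issues: Issue[], entries: IgnoreEntry[]): Issue[] {
  return issues.filter(i => !isIgnored(i, entries));
}

/** One line in the file format, as written when the user clicks Ignore. */
export function formatEntry(e: IgnoreEntry): string {
  const target = e.line === undefined ? e.filePath : `${e.filePath}:${e.line}`;
  return e.reason ? `${e.ruleCode} ${target} # ${e.reason}` : `${e.ruleCode} ${target}`;
}

// Constructed sample file (the format shown in the release notes) and sample issues.
export const SAMPLE_IGNORE_FILE = [
  "# Caspian Security Ignore File",
  "# Format: RULE_CODE file/path.ts:line # optional reason",
  "XSS001 src/app.ts:42 # False positive, sanitized upstream",
  "CRED001 src/config.ts # Test credentials only",
  "",
].join("\n");

export const SAMPLE_ISSUES: Issue[] = [
  { ruleCode: "XSS001", filePath: "src/app.ts", line: 42 },       // ignored: exact line
  { ruleCode: "XSS001", filePath: "src/app.ts", line: 58 },       // kept: different line
  { ruleCode: "CRED001", filePath: "src\\config.ts", line: 7 },   // ignored: whole file, Windows separator
  { ruleCode: "CRED001", filePath: "src/db.ts", line: 3 },        // kept: different file
];
```

Two points worth keeping when sharing the file across machines: paths are compared after normalising separators, so an entry written on Windows still matches on Linux, and a line-scoped entry silently stops matching when the code above it shifts, which is why a reason comment on each line pays off in review. In the extension the same parse runs on the FileSystemWatcher change event so edits take effect without a reload.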
SARIF v2.1.0 Export
New Export SARIF button in the results panel header. Generates a standards-compliant SARIF file that can be uploaded directly to GitHub Security Alerts (Security tab → Code scanning → Upload SARIF).
- Follows OASIS SARIF v2.1.0 specification
- Includes rule definitions, severity mapping, and physical source locations
- Severity mapping: Error → `error`, Warning → `warning`, Info → `note`
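To make the structure concrete, here is an added example of a minimal SARIF 2.1.0 log builder with that severity mapping. It is not the extension's exporter: the `ScanIssue` input shape, the `informationUri`, the `%SRCROOT%` base id and the sample issues are assumptions. Everything else is plain SARIF: one `run`, rule definitions under `tool.driver.rules`, and a `physicalLocation` per result.

```typescript
// Added example: scan results -> SARIF 2.1.0 log. Not Caspian Security's own
// exporter; the input shape and tool metadata are assumptions.

export type Severity = "Error" | "Warning" | "Info";
export type SarifLevel = "error" | "warning" | "note";

export interface ScanIssue {
  ruleCode: string;
  ruleName: string;
  message: string;
  severity: Severity;
  filePath: string; // workspace-relative
  line: number;     // 1-based; VS Code ranges are 0-based, so add 1 before export
  column?: number;  // 1-based
}

export const LEVEL: Record<Severity, SarifLevel> = { Error: "error", Warning: "warning", Info: "note" };

export interface SarifRule {
  id: string;
  name: string;
  shortDescription: { text: string };
  defaultConfiguration: { level: SarifLevel };
}

export interface SarifResult {
  ruleId: string;
  ruleIndex: number;
  level: SarifLevel;
  message: { text: string };
  locations: { physicalLocation: {
    artifactLocation: { uri: string; uriBaseId: string };
    region: { startLine: number; startColumn: number };
  } }[];
}

export interface SarifLog {
  $schema: string;
  version: "2.1.0";
  runs: { tool: { driver: { name: string; version: string; informationUri: string; rules: SarifRule[] } }; results: SarifResult[] }[];
}

export function toSarif(issues: ScanIssue[], version = "7.0.0"): SarifLog {
  // One rule definition per distinct rule code; results point back by ruleIndex.
  const rules: SarifRule[] = [];
  const indexOf = new Map<string, number>();
  for (const i of issues) {
    if (indexOf.has(i.ruleCode)) continue;
    indexOf.set(i.ruleCode, rules.length);
    rules.push({ id: i.ruleCode, name: i.ruleName, shortDescription: { text: i.ruleName },
                 defaultConfiguration: { level: LEVEL[i.severity] } });
  }
  const results: SarifResult[] = issues.map(i => ({
    ruleId: i.ruleCode,
    ruleIndex: indexOf.get(i.ruleCode) ?? 0,
    level: LEVEL[i.severity],
    message: { text: i.message },
    locations: [{ physicalLocation: {
      artifactLocation: { uri: i.filePath.replace(/\\/g, "/"), uriBaseId: "%SRCROOT%" },
      region: { startLine: Math.max(1, i.line), startColumn: Math.max(1, i.column ?? 1) }, // SARIF is 1-based
    } }],
  }));
  return {
    $schema: "https://json.schemastore.org/sarif-2.1.0.json",
    version: "2.1.0",
    runs: [{ tool: { driver: { name: "Caspian Security", version,
                               informationUri: "https://github.com/Caspian-Explorer/caspian-security", rules } }, results }],
  };
}

export function sarifJson(issues: ScanIssue[]): string {
  return JSON.stringify(toSarif(issues), null, 2);
}

// Constructed sample results: three rules, four findings, all three severities.
export const SAMPLE_ISSUES: ScanIssue[] = [
  { ruleCode: "CRED001", ruleName: "HardcodedCredential", message: "Hardcoded password", severity: "Error", filePath: "src/config.ts", line: 12, column: 7 },
  { ruleCode: "XSS001", ruleName: "ReflectedXss", message: "Unescaped user input written to innerHTML", severity: "Warning", filePath: "src\\app.ts", line: 42 },
  { ruleCode: "XSS001", ruleName: "ReflectedXss", message: "Unescaped user input written to innerHTML", severity: "Warning", filePath: "src/app.ts", line: 58 },
  { ruleCode: "LOG001", ruleName: "SensitiveDataLogged", message: "Token written to console", severity: "Info", filePath: "src/auth.ts", line: 3 },
];
```

Two things to check before relying on the upload: lines and columns must be 1-based (an off-by-one here places every alert one line early), and GitHub derives the alert severity from `level` unless the rule carries a `security-severity` property, so `note` results show up as low-severity alerts. The same file can also be uploaded from CI with the `github/codeql-action/upload-sarif` action or the code scanning REST API rather than through the web UI.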
What's Changed
- AI fix prompt uses a security-expert instruction when function scope is available
- Ignore command shows an optional input box for providing a reason before writing to `.caspianignore`
- Diagnostics display a confidence prefix when available (e.g., `[Critical] [Secrets] CRED001: ...`)
- Scanner filters out issues matching `.caspianignore` entries before publishing diagnostics
New Commands
- Caspian Security: Export Results to SARIF — export scan results in SARIF v2.1.0 format
New Files
- `src/contextExtractor.ts` — function scope extraction via DocumentSymbolProvider
- `src/confidenceAnalyzer.ts` — lightweight variable-source confidence classifier
- `src/caspianIgnore.ts` — `.caspianignore` file management (read, write, match)
Full Changelog: https://github.com/Caspian-Explorer/caspian-security/blob/main/CHANGELOG.md